IT directors should resist being security scapegoats

IT directors and chief information officers must resist efforts by their CEOs to give them the total responsibility for IT security, a leading barrister has warned.

Leo King
June 7, 2007

While chief executives have ultimate responsibility for the security of their organisations, and are accountable to the law as well as to shareholders and customers, IT directors have the technological understanding that is crucial to the IT security of the business. As a result, chief executives often task IT managers, incorrectly, with sole responsibility for ensuring the business is secure.

Stephen Mason, a barrister with a background in electronic signatures, authentication, electronic evidence and other forms of IT security, said it was crucial that chief executives take security seriously and that their IT managers explain to them the risks present.

“IT directors bear a heavy responsibility themselves for IT security, because of their technical background,” Mason said. “But the IT departments should be trying to educate everybody, including their chief executives, where the risks are and what can go wrong.”

In legal terms, the person to take the blame depends on who is responsible for managing the data and who has committed a breach of the rules, according to Mason: “If an employee has downloaded something from the official database onto his PDA and that is against his contract, then he will take part of the blame.”

He continued: “But then you have to ask: Should he have been able to download that information?” In this instance, the IT director and the CEO could take the blame too, for failing to prevent access to the information. Mason insisted: “Those at the board level have to take responsibility - they are managing the business and that is why they need to know.”

The repercussions of such security failures can range from losing your job to ending up in prison, in severe circumstances where national regulatory rules over the handling of data have been broken. In cases where customer records have gone missing, there could be a breach of the Data Protection Act, which would seriously implicate those in charge of the records.